An Architecture for Generating Semantics-Aware Signatures

Abstract

Identifying new intrusions and developing effective signatures that detect them is essential for protecting computer networks. We present Nemean, a system for automatic generation of intrusion signatures from honeynet packet traces. Our architecture is distinguished by two things: an emphasis on a modular design framework that encourages independent development and modification of system components, and protocol semantics awareness, which allows for the construction of signatures that greatly reduce false alarms. The building blocks of our architecture include transport and service normalization, intrusion profile clustering, and automata learning that generates connection-aware and session-aware signatures. We demonstrate the potential of Nemean's semantics-aware, resilient signatures through a prototype implementation. We use two datasets to evaluate the system: a production dataset for false-alarm evaluation and a honeynet dataset for measuring detection rates. Signatures generated by Nemean for NetBIOS exploits had a 0% false-positive rate and a 0.04% false-negative rate.


Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2006
Accession Number
ADA449063

Entities

People

  • Jonathon T. Giffin
  • Paul Barford
  • Somesh Jha
  • Vinod Yegneswaran

Organizations

  • University of Wisconsin Madison Department of Computer Science

Tags

Communities of Interest

  • Autonomy
  • Cyber
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Algorithms
  • Anomaly Detection
  • Change Detection
  • Coding
  • Computer Network Security
  • Computer Networks
  • Data Sets
  • Detection
  • Detectors
  • False Alarms
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Military Research
  • Operating Systems
  • Transport Protocols
  • Warning Systems

Fields of Study

  • Computer science

Readers

  • Distributed Systems and Data Platform Development
  • Sensor Fusion and Tracking Systems